Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

• Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely.

• If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 16 August 2004.
2a) □ This action is FINAL. 2b) ☒ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) 1-35 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) ☒ Claim(s) 18-23, 25, 27-30 and 35 is/are allowed.

6) ☒ Claim(s) 1-5, 7-11, 13-17, 24, 26 and 31-34 is/are rejected.

7) ☒ Claim(s) 6 and 12 is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).
11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) □ All b) □ Some * c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 

DETAILED ACTION

This Office action is in response to Applicant's request for reconsideration filed 
on August 16, 2004. Claims 1-35 are presented for further consideration. These are 
the original claims, which have not been amended. Because Examiner hereby presents 
new grounds for rejection, this action is non-final. 

Response to Arguments 

Applicant has argued that the Parker reference doesn't teach that the ticket is 
adapted to cause a message to be sent to the target application server, as claimed.
Examiner realizes that the Parker reference does not explicitly state such a step, but still 
believes that Parker inherently includes such a function. Applicant also argues that the 
combined references of Parker and PR do not teach how access information from one 
device to another network device on a different domain through an end user device 
would be carried out. Thus, rather than rely on these arguable references, Examiner 
has elected to issue new grounds for rejection based on the Microsoft reference (cited 
below), which clearly presents a system for allowing multi-domain sign on by passing 
access control information from one domain through a user device to another domain. 
The claim rejections below describe the reference in more detail. 

Claim Rejections - 35 USC § 101 

35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

1. Claim 34 is rejected under 35 U.S.C. 101 because the claimed invention is directed
to non-statutory subject matter. The claimed invention merely encompasses a 
signal. Because a signal is not one of a process, machine, manufacture, or 
composition of matter, it does not fall within the realm of statutory subject matter. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-5, 7-11, 13-17, 24, 26, and 31-34 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Microsoft (Single Sign-On in Windows 2000 Networks, from 
the Microsoft Website, 1998), in view of Gadi (U.S. Patent No. 6,629,246).

In considering claims 1, 24, and 26, Microsoft discloses a method, network 
device, and computer usable medium for conveying access control information (a.c.i.) 
from one network device to another network device on a different domain ("domain", 
"cross-realm referrals in a heterogeneous environment," p. 9, ¶ 3) through an end user
device ("User," Fig. 2), comprising: 

The one network device ("KDC1") in response to a first message received from 
the end user device ("TGT1," step 1) containing access control information ("TGT"),
sending a response message ("TGT2," step 2) to the end user device ("User")
containing the a.c.i. ("TGT"), the response message being adapted to cause the end
user device to send a second message ("TGT2," step 3) to the another network device
("KDC2") containing at least part of the a.c.i. ("TGT") (see Fig. 2; see also, p. 9, ¶ 3);

Wherein at least part of the a.c.i. is used to control access to a protected 
resource on the domain associated with at least one of the first and second network 
devices ("Network Resource"). 

Note, that in the Microsoft system, the devices controlling access to the resource 
and the resource are on different computers (i.e. Fig. 2). However, the claim requires 
that the resource be on the same computer as the computer providing the access 
information (i.e. "control access to a protected resource on at least one of the first and 
second network devices"). Nonetheless, it is well known in networking systems for both
the resource whose access is being controlled and the device controlling access to the 
resource to be on the same computer, as evidenced by Gadi. In a similar art, Gadi 
discloses a single sign-on network system for allowing a remote user to access a 
resource on a network domain, wherein the access rights are controlled by the same 
server that stores the resource (col. 6, lines 29-35; col. 7, lines 30-44, wherein the "web 
server" controls access to a resource which is on the server itself). Such a system is 
beneficial because it avoids the need for extra network communications between a 
standalone access server and a resource server. Given this teaching, it would have 
been obvious to include both the KDC2 functionality and the Network Resource 
functionality taught by Microsoft in the same computer, to avoid unnecessary network 
traffic. 

In considering claim 2, Microsoft further discloses that the response message
contains the a.c.i. ("TGT") and a network device identifier for the another network device 
("KDC2"). Parker further discloses that the second message contains at least part of 
the a.c.i. ("TGT"). 

However, neither Microsoft nor PR discuss which part of the communication 
packet (i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes 
official notice that including information in either the header or content portion of a data 
packet is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed 
in claim 2, rather than in the header portion, would have been obvious to a person 
having ordinary skill in the art to simplify header processing of the packet. 

In considering claim 3, Microsoft further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message (i.e. the access ticket "TGT" is extracted from the response and placed in the 
response message for delivery to the User). 

However, neither Microsoft nor PR discuss which part of the communication 
packet (i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes 
official notice that including information in either the header or content portion of a data 
packet is well known in the art. Thus, storing the a.c.i. in the header portion, as claimed 
in claim 3, rather than in the content portion, would have been obvious to a person
having ordinary skill in the art to simplify content processing of the packet. 

In considering claim 4, Microsoft further discloses that the first message has a 
header portion and a content portion (inherent in any Internet communication system), 
and further discloses extracting the a.c.i. from the packet for use in the response 
message ("TGT" is extracted and used in the response). 

However, neither Microsoft nor PR discuss which part of the communication 
packet (i.e. header or content portion) contains the a.c.i. Nonetheless, Examiner takes 
official notice that including information in either the header or content portion of a data 
packet is well known in the art. Thus, storing the a.c.i. in the content portion, as claimed 
in claim 4, rather than in the header portion, would have been obvious to a person 
having ordinary skill in the art to simplify header processing of the packet. 

In considering claim 5, Microsoft further discloses that hidden content is used in 
the response message to contain the a.c.i. (the "TGT" is not actually seen by the user). 

In considering claim 7, Microsoft further discloses formatting the messages as a 
custom content type (i.e. Kerberos protocol). 

In considering claim 8, Microsoft further discloses that at least part of the 
response message is protected by cryptographic means ("SSL"). 

In considering claim 9, Gadi further teaches the use of the single sign-on system
for HTTP requests (i.e. Web access). Given this knowledge, it would have been 
obvious for the messages taught by Microsoft to be HTTP messages, so that the 
Microsoft system could be used with the majority of Internet applications and 
documents. 

In considering claim 10, Microsoft further discloses that the a.c.i. is a ticket. 
Although Microsoft does not explicitly use the term "cookie" or describe the use of 
cookies, the ticket taught by Parker performs the same function as a "cookie" - i.e. it 
sends authentication information to the server being accessed. 

In considering claims 11 and 14, Microsoft further discloses containing
user-specific information in the response message together with instructions to include at
least part of the user-specific information in the second message (i.e. the "TGT" is
user-specific information, and the KDC2 information instructs the User device to send the
second message to KDC2).

In considering claim 13, Microsoft further discloses that the one network device is 
an initial network device accessed by the end user device, the method further 
comprising: 

Prior to sending the response message:

a. the initial network device receiving an initial access request from
the end user device to access a protected resource on the initial network device; 

b. the initial network device performing an authentication process to 
determine if access should be granted ("authenticates") and if so, responding 
with an access response message specifying the a.c.i. ("TGT is returned") in 
association with the domain of the initial network device and causing the end 
user device to send the first message (p. 2, last paragraph, "user session 
presents the TGT to the domain controller"); and 

On an ongoing basis after performing the authentication process allowing 
subsequent access to the protected resource to requests containing the access control 
information (the user will use the TGT for the remainder of the session). 

In considering claim 15, Microsoft further discloses that the user specific 
information comprises at least one of purchase enabling information and personal data 
("user ids and passwords," p. 9, ¶ 3).

In considering claim 16, Microsoft further discloses requiring user acceptance 
before including the at least part of the user-specific information in the second message 
(i.e. the user must supply a password to begin the session). 

In considering claim 17, Microsoft further discloses protecting the a.c.i. 
information via cryptographic means (SSL). 

In considering claim 24, Microsoft further discloses a network device adapted to
implement the method of claim 1.

In considering claim 26, Microsoft further discloses a computer usable medium 
for implementing the method of claim 1.

In considering claim 31, claim 31 is rejected for the same reasons stated with
respect to claims 1 and 2 previously. 

In considering claims 32-33, claims 32-33 are rejected for the same reasons 
stated with respect to claim 13. 

Claim 34 contains the same limitations as claim 31, and is thus rejected for the
same reasons. 

Allowable Subject Matter 

3. Claims 18-23, 25, and 27-30, and 35 are allowed. 

Claims 6 and 12 are objected to as being dependent upon a rejected base claim,
but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 

The following is a statement of reasons for the indication of allowable subject
matter: In considering claims 23, 25, 35, 6, and 12, the prior art of record fails to
disclose or render obvious all of the limitations of the claim. Claims 27-30 depend from 
claim 23, and thus are allowable as well. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Bradley Edelman whose telephone number is 571-272-3953.
The examiner can normally be reached from 9 a.m. to 5 p.m.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Glen Burgess can be reached at 571-272-3949. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free).



Conclusion 




June 13, 2005 



